How to Generate a Secure Password: Best Practices in 2026

A strong password is your first line of defence against unauthorised access. Yet most people still use weak or reused credentials — not because they do not care, but because the rules around what "strong" actually means are often vague or contradictory. This guide explains the underlying concepts and practical choices so you can generate and manage passwords that will hold up.

What makes a password strong: entropy

Password strength is measured in bits of entropy, the amount of unpredictability in how the password was chosen. For a password whose every character is drawn uniformly at random from a set of C characters, entropy is log₂(C^L) = L × log₂(C), where L is the length. A 12-character password using uppercase, lowercase, digits, and the 32 printable ASCII symbols (C = 26 + 26 + 10 + 32 = 94) has roughly 79 bits of entropy: log₂(94^12) ≈ 78.7. The formula only applies to random selection; a password a person makes up has far less entropy than its length and character set suggest, because people choose predictably.

At 78 bits there are about 3 × 10²³ candidates. A GPU cluster making one trillion (10¹²) guesses per second against a fast, unsalted hash such as MD5 or NTLM would need roughly 9,600 years to try them all; against a deliberately slow password hash such as bcrypt, scrypt or Argon2, guess rates are many orders of magnitude lower and the figure grows accordingly. Since you cannot control how a site stores your password, plan for the fast-hash case. The practical threshold for a strong password in 2026 is considered to be at least 72–80 bits of entropy, which corresponds to roughly 12 characters from the full 94-character set, 13 from mixed-case letters and digits (C = 62), or 16 from lowercase letters alone (C = 26).
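To make the arithmetic above concrete, here is an added example (not code from the original article) that computes entropy from the character-set size and length, the shortest length that reaches a target number of bits for each set, and the worst-case time to exhaust the space at a given guess rate. The character-set sizes follow the article's 94-character full set; the two guess rates (10¹² per second for a fast unsalted hash, 10⁵ per second for a slow KDF) are illustrative assumptions, not benchmarks.

```python
import math

# Character-set sizes as used in this article. Assumption: the "full set" is
# 26 uppercase + 26 lowercase + 10 digits + 32 symbols = 94 characters, and a
# passphrase word counts as one symbol drawn from the 7,776-word EFF list.
CHARSETS = {
    "lowercase letters": 26,
    "lowercase + digits": 36,
    "mixed-case letters": 52,
    "mixed-case + digits": 62,
    "full 94-character set": 94,
    "EFF long wordlist (per word)": 7776,
}

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random string: log2(C^L) = L * log2(C).

    Valid only when every position is drawn independently and uniformly
    (dice, /dev/urandom, a CSPRNG), not when a person picks the characters.
    """
    if charset_size < 2 or length < 1:
        raise ValueError("need a set of at least 2 symbols and length >= 1")
    return length * math.log2(charset_size)


def min_length_for(target_bits: float, charset_size: int) -> int:
    """Shortest length that reaches target_bits from this character set."""
    return math.ceil(target_bits / math.log2(charset_size))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try all 2^bits candidates, in years.

    The expected time to hit one specific password is half of this.
    """
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


# Illustrative guess rates (assumptions, not measurements): a GPU cluster
# against a fast unsalted hash such as NTLM or MD5, and the same hardware
# against a deliberately slow password hash such as bcrypt or Argon2.
GUESS_RATES = {
    "fast hash (1e12/s)": 1e12,
    "slow KDF (1e5/s)": 1e5,
}


def strength_table(target_bits: float = 72.0) -> list:
    """For each character set: the shortest length reaching target_bits, the
    entropy at that length, and the years to exhaust it at each guess rate."""
    rows = []
    for name, size in CHARSETS.items():
        length = min_length_for(target_bits, size)
        bits = entropy_bits(size, length)
        years = {label: years_to_exhaust(bits, rate) for label, rate in GUESS_RATES.items()}
        rows.append((name, length, round(bits, 1), years))
    return rows


if __name__ == "__main__":
    print(f"12 chars from 94 symbols: {entropy_bits(94, 12):.1f} bits")
    print(f"Exhausting 78 bits at 1e12 guesses/s: {years_to_exhaust(78, 1e12):,.0f} years")
    for name, length, bits, years in strength_table(72):
        rates = ", ".join(f"{label}: {y:,.0f} y" for label, y in years.items())
        print(f"{name:>28}: {length:>2} symbols = {bits:5.1f} bits  ({rates})")
```

Running it shows the point the paragraph makes: 78 bits at a trillion guesses per second is thousands of years, not billions, and the slow-KDF column is the only reason a shorter password survives; since the site, not you, chooses the hash, the fast-hash column is the one to size against.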

Random passwords vs. passphrases

A randomly generated password like "k#9Wm!rT2vLp" is high entropy and resistant to brute force, but it is hard to remember and easy to mistype. A passphrase — a sequence of random words such as "correct-horse-battery-staple" — can achieve similar or higher entropy while being far more memorable.

A four-word passphrase drawn from a dictionary of 7,776 words (the EFF long wordlist, the same size as a Diceware list) has entropy of log₂(7776^4) ≈ 51.7 bits. Five words reaches about 64.6 bits, and six words gives around 77.5 bits, comparable to a 12-character random password. These figures hold only if the words are chosen by dice or a cryptographic random number generator; words you pick yourself, or a line from a song or book, carry far less entropy. Passphrases are particularly good for master passwords (password managers, full-disk encryption) where you need to type them by hand.

Common mistakes to avoid

Substituting letters with look-alike numbers (p4ssw0rd) adds almost no entropy: cracking tools apply these substitutions automatically through word-mangling rules, so the candidate is still a dictionary word. Appending a number and an exclamation mark to a meaningful word (password123!) is one of the most common patterns in leaked credential databases. Capitalising only the first letter of a word also provides minimal security, since that is among the first variations a rule set tries.

Reusing passwords across sites is the most dangerous practice. When one site is breached (and breaches happen constantly), attackers immediately test the leaked username-and-password pairs against other services; this is called credential stuffing. A unique password for every account, even a moderately strong one, is far safer than a very strong password used everywhere, because a single breach then exposes only that one account.
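The two mistakes above can be checked mechanically. The following is an added example, not code from the article: it undoes the look-alike substitutions and strips the appended digits and symbols the way a rule-based cracker would, flags the resulting base word if it is in a small common-word list, and then groups a constructed sample vault by password to find reuse. The substitution table, the common-word list and the vault are all constructed for illustration; they are not any tool's actual rule set or real credentials.

```python
import re
from collections import defaultdict

# Look-alike substitutions that cracking tools undo (or apply) with
# word-mangling rules. Constructed illustrative subset, not a tool's rule set.
LEET_MAP = str.maketrans({
    "4": "a", "@": "a", "8": "b", "3": "e", "1": "i", "!": "i",
    "0": "o", "5": "s", "$": "s", "7": "t", "+": "t",
})

# Trailing digits and punctuation ("123", "2026", "!", "!!1") are the most
# common appended pattern; attackers try them as a suffix of the base word.
SUFFIX_RE = re.compile(r"[0-9!@#$%^&*.?_-]+$")

# Constructed stand-in for a cracking dictionary of common base words.
COMMON_WORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "summer",
    "dragon", "monkey", "football", "admin", "iloveyou",
}


def normalize(password: str) -> str:
    """Reduce a human-style password to the base word an attacker starts
    from: drop appended digits/symbols, lowercase, undo look-alikes."""
    core = SUFFIX_RE.sub("", password)
    if not core:                     # nothing but digits/symbols, e.g. "123456"
        return password.lower()
    return core.lower().translate(LEET_MAP)


def weaknesses(password: str, dictionary=COMMON_WORDS) -> list:
    """Return the predictable patterns found in password (empty if none)."""
    issues = []
    stripped = SUFFIX_RE.sub("", password)
    base = normalize(password)
    if base in dictionary:
        issues.append(f"base word '{base}' is in the common-word list")
        if stripped and stripped != password:
            issues.append("predictable digit/symbol suffix")
        if stripped and stripped.lower() != base:
            issues.append("look-alike substitutions")
    if len(password) > 1 and password[0].isupper() and password[1:].islower():
        issues.append("capital letter only at the start")
    if len(password) < 12:
        issues.append("shorter than 12 characters")
    return issues


def audit(vault: dict) -> dict:
    """vault maps account name -> password. A real audit belongs inside the
    password manager; never run one over exported plaintext."""
    accounts_by_password = defaultdict(list)
    for account, pw in vault.items():
        accounts_by_password[pw].append(account)
    reused = [accts for accts in accounts_by_password.values() if len(accts) > 1]
    weak = {acct: weaknesses(pw) for acct, pw in vault.items() if weaknesses(pw)}
    return {"reused": reused, "weak": weak}


# Constructed sample vault (not real credentials).
SAMPLE_VAULT = {
    "email": "P@ssw0rd!",
    "shop": "P@ssw0rd!",       # same as email: one breach exposes both
    "bank": "Summer2026!",
    "forum": "k#9Wm!rT2vLp",   # random and unique: passes every check
}

if __name__ == "__main__":
    for pw in ("p4ssw0rd", "Password123!", "Summer2026!"):
        print(f"{pw:>14} -> {normalize(pw)}")
    report = audit(SAMPLE_VAULT)
    for group in report["reused"]:
        print("reused across:", ", ".join(group))
    for acct, issues in report["weak"].items():
        print(f"{acct}: {'; '.join(issues)}")
```

All three human-style passwords collapse to "password" or "summer", which is exactly what a rule-based attack would try first; the random one survives because there is no base word to recover.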

The case for a password manager

A password manager solves the memorability problem entirely. You only need to remember one strong master password; the manager generates, stores, and auto-fills a unique random password for every site. Leading options include Bitwarden (open-source, free tier), 1Password, and KeePassXC (local storage, no cloud).

When generating passwords through a manager, use at least 16 characters with all character classes enabled. Above a certain point length matters more than complexity: a 20-character all-lowercase random string (about 94 bits) is stronger than a 10-character mixed-case string (about 57 bits). Our password generator creates cryptographically random passwords entirely in your browser; nothing is transmitted or stored.
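The generation step itself, for both the random passwords a manager produces and the random passphrases recommended earlier for master passwords, is shown in this added example (not the article's or any manager's own code). It uses Python's `secrets` module, which draws from the operating system's CSPRNG; the `random` module must never be used for this. The four character classes assume the 32 printable ASCII symbols as the article's "common symbols", and the 16-word list is a constructed stand-in for the 7,776-word EFF list.

```python
import secrets

# Character classes a manager's generator offers. Assumption: the article's
# "32 common symbols" are the 32 printable ASCII punctuation characters,
# giving the 94-character full set (26 + 26 + 10 + 32).
CLASSES = {
    "uppercase": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "lowercase": "abcdefghijklmnopqrstuvwxyz",
    "digits": "0123456789",
    "symbols": "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}
ALPHABET = "".join(CLASSES.values())

# Constructed stand-in for a Diceware-style wordlist. The real EFF long list
# has 7,776 words; entropy per word is log2(len(wordlist)) either way, so
# this toy list gives only 4 bits per word.
WORDLIST = (
    "anchor", "basalt", "cobalt", "dorsal", "ember", "fathom", "gravel",
    "harbor", "ivory", "juniper", "kelp", "lantern", "marble", "nectar",
    "orbit", "pebble",
)


def has_all_classes(password: str, classes=CLASSES) -> bool:
    """True if at least one character from every class is present."""
    return all(any(ch in chars for ch in password) for chars in classes.values())


def generate_password(length: int = 16, classes=CLASSES) -> str:
    """Random password from the secrets CSPRNG (never the random module).

    Each position is drawn uniformly from the combined alphabet; the result
    is rejected and redrawn until every enabled class appears, which is what
    "all classes enabled" means in a manager. At 16 characters with these
    four classes roughly 18% of candidates are rejected, which costs well
    under one bit of entropy.
    """
    if length < len(classes):
        raise ValueError(f"length must be at least {len(classes)} to fit every class")
    alphabet = "".join(classes.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate, classes):
            return candidate


def generate_passphrase(words: int = 6, wordlist=WORDLIST, separator: str = "-") -> str:
    """Random passphrase: each word chosen independently and uniformly by the
    CSPRNG. Repeats are allowed on purpose; de-duplicating would lower the
    entropy below log2(len(wordlist)) per word."""
    if words < 1:
        raise ValueError("need at least one word")
    return separator.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    print(generate_password(16))                                  # all four classes
    print(generate_password(20, {"lowercase": CLASSES["lowercase"]}))  # 20 lowercase
    print(generate_passphrase(6))
```

Passing a single class, as in the second call, is how the "20-character all-lowercase" case is produced; `secrets.choice` is uniform over the sequence it is given, so the entropy is exactly L × log₂(C) for whichever alphabet you pass.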